Abstract: In recent years, malware has evolved by introducing novel techniques to foil analysis and identification. For example, cybercriminals routinely tweak their malicious web content to create new and more effective variants (for example, by incorporating exploits targeting newly-discovered vulnerabilities) or to evade commonly-used defensive tools. In addition, the programs that persist on infected machines are increasingly more stealthy and environment-aware. In this presentation, we present research on characterizing, tracking, and analyzing the evolution of evasive malware (both in binary form and as web content). We highlight possible approaches for the automated detection of evasions, and we describe our experience in observing evasive malware in a number of real-world deployments.

Biography: Giovanni Vigna is a Professor in the Department of Computer Science at the University of California in Santa Barbara and the CTO of Lastline, Inc. His current research interests include malware analysis, web security, vulnerability assessment, and intrusion detection. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy (S&P 2011). He is known for organizing and running the world's largest inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world.

Abstract:
Drive-by downloads are the preferred distribution vector for many malware
families. In the drive-by ecosystem many exploit servers run the same
exploit kit, and it is a challenge to understand whether a given exploit server
is part of a larger operation. In this paper we propose a technique to
identify exploit servers managed by the same organization. We collect over
time how exploit servers are configured and what malware they distribute,
grouping servers with similar configurations into operations. Our
operational analysis reveals that although individual exploit servers have a
median lifetime of 16 hours, long-lived operations exist that operate for
several months. To sustain long-lived operations miscreants are turning to
the cloud, with 60% of the exploit servers hosted by specialized cloud
hosting services. We also observe operations that distribute multiple
malware families and that pay-per-install affiliate programs are managing
exploit servers for their affiliates to convert traffic into installations.
To understand how difficult it is to take down exploit servers, we analyze the
abuse reporting process and issue abuse reports for 19 long-lived servers.
We describe the interaction with ISPs and hosting providers and monitor the
result of each report. We find that 61% of the reports are not even
acknowledged. On average an exploit server still lives for 4.3 days after a
report.

Abstract:
Botmasters increasingly encrypt command-and-control (C&C) communication to
evade existing intrusion detection systems. Our detailed C&C traffic
analysis shows that at least ten prevalent malware families avoid well-known
C&C carrier protocols, such as IRC and HTTP. Six of these families - e.g.,
Zeus P2P, Pramro, Virut, and Sality - do not exhibit any characteristic
n-gram that could serve as a payload-based signature in an IDS. Given
knowledge of the C&C encryption algorithms, we detect these evasive C&C
protocols by decrypting any packet captured on the network. In order to
test if the decryption results in messages that stem from malware, we
propose PROVEX, a system that automatically derives probabilistic vectorized
signatures. PROVEX learns characteristic values for fields in the C&C
protocol by evaluating byte probabilities in C&C input traces used for
training. This way, we identify the syntax of C&C messages without the need
to manually specify C&C protocol semantics, purely based on network traffic.
Our evaluation shows that PROVEX can detect all studied malware families,
most of which are not detectable with traditional means. Despite its naive
approach to decrypt all traffic, we show that PROVEX scales up to multiple
Gbit/s line speed networks.
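The byte-probability idea behind PROVEX, as an added example that is not the paper's code: a per-position byte model is trained on constructed, made-up decrypted C&C messages, a decision threshold is derived from the training scores, and captured packets are passed through a stand-in XOR decryption (the key and the cipher are assumptions here, standing in for the real family-specific algorithms) before being scored.

```python
import math
from collections import Counter

class ByteProbSignature:
    # Per-position byte-probability model over a fixed-length message prefix
    def __init__(self, length, alpha=0.5):
        self.length, self.alpha = length, alpha
        self.counts = [Counter() for _ in range(length)]
        self.total = [0] * length
        self.threshold = None

    def train(self, messages, margin=0.5):
        # Count byte values per position, then put the decision threshold
        # a little below the worst-scoring training message
        for msg in messages:
            for pos, b in enumerate(msg[:self.length]):
                self.counts[pos][b] += 1
                self.total[pos] += 1
        self.threshold = min(self.score(m) for m in messages) - margin
        return self

    def prob(self, pos, b):
        # Additive smoothing over all 256 byte values: unseen bytes stay non-zero
        return (self.counts[pos][b] + self.alpha) / (self.total[pos] + self.alpha * 256)

    def score(self, msg):
        # Mean log-probability of the modelled prefix; higher = closer to training
        n = min(len(msg), self.length)
        return sum(math.log(self.prob(p, msg[p])) for p in range(n)) / n if n else -math.inf

    def is_match(self, msg):
        return self.score(msg) >= self.threshold

def xor_decrypt(packet, key):
    # Stand-in for the family-specific cipher the real system would apply
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(packet))

# Constructed training traces: a made-up 5-byte header (3-byte magic, version,
# command) followed by a bot id and a command body. Not real C&C traffic.
TRAIN = [
    b"\x7fCC\x02\x01\x11\x22\x33ping",
    b"\x7fCC\x02\x01\x44\x55\x66ping",
    b"\x7fCC\x02\x02\x77\x88\x99get task",
    b"\x7fCC\x02\x03\xdd\xee\xffreport ok",
]
SIG = ByteProbSignature(length=5).train(TRAIN)
KEY = b"\x5a\xa5"  # assumed XOR key, purely illustrative

def inspect_packet(packet):
    # Decrypt a captured packet with the assumed key and check it against SIG
    return SIG.is_match(xor_decrypt(packet, KEY))
```

A message with the right header shape scores near the training traces even with an unseen bot id, while an HTTP request (whether or not it is run through the stand-in decryption) falls below the threshold at every modelled position.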

Abstract:
The ever-growing malware threat in the cyber space calls for techniques that
are more effective than widely deployed signature-based detection systems
and more scalable than manual reverse engineering by forensic experts. To
counter large volumes of malware variants, machine learning techniques have
been applied recently for automated malware classification. Despite the
successes made from these efforts, we still lack a basic understanding of
some key issues, such as what features we should use and which classifiers
perform well on malware data. Against this backdrop, the goal of this work
is to explore discriminatory features for automated malware classification.
We conduct a systematic study on the discriminative power of various types
of features extracted from malware programs, and experiment with different
combinations of feature selection algorithms and classifiers. Our results
not only offer insights into what features most distinguish malware
families, but also shed light on how to develop scalable techniques for
automated malware classification in practice.

Abstract: The increased interest of nation-state actors in offensive
strategies for espionage and military purposes expands the threat landscape into a
previously underrated dimension. This talk will explore the difference
between the relatively well researched cybercrime actors and the new
players, look at examples of successful operations and why our currently
deployed defenses are no match for them. Also, a few suggestions for
mid-term research to counter this global development will be given.

Biography: Felix 'FX' Lindner is the founder as well as the technical and
research lead of Recurity Labs GmbH, a high-end security consulting and
research team, specializing in code analysis and design of secure systems
and protocols. Well known within the computer security community, he has
presented his research for over a decade at conferences worldwide. Felix
holds a title as German State-Certified Technical Assistant for Informatics
and Information Technology as well as Certified Information Systems Security
Professional, specializes in digital attack technologies, but recently
changed the direction of his research to defense, since the latter seems to
be a lot less fun.

Abstract:
In this paper we present PeerRush, a novel system for the identification of
unwanted P2P traffic. Unlike most previous work, PeerRush goes beyond P2P
traffic detection, and can accurately categorize the detected P2P traffic
and attribute it to specific P2P applications, including malicious
applications such as P2P botnets. PeerRush achieves these results without
the need for deep packet inspection, and can accurately identify applications
that use encrypted P2P traffic. We implemented a prototype version of
PeerRush and performed an extensive evaluation of the system over a variety
of P2P traffic datasets. Our results show that we can detect all the
considered types of P2P traffic with up to 99.5% true positives and 0.1%
false positives. Furthermore, PeerRush can attribute the P2P traffic to a
specific P2P application with a misclassification rate of 0.68% or less.

Abstract:
We present ErDOS, an Early Detection scheme for Outgoing Spam. The
detection approach implemented by ErDOS combines content-based detection and
features based on inter-account communication patterns. We define new
account features, based on the ratio between the numbers of sent and
received emails and on the distribution of emails received from different
accounts. Our empirical evaluation of ErDOS is based on a real-life
data-set collected by an email service provider, much larger than data-sets
previously used for outgoing-spam detection research. It establishes that
ErDOS is able to provide early detection for a significant fraction of the
spammer population, that is, it identifies these accounts as spammers
before they are detected as such by a content-based detector. Moreover,
ErDOS only requires a single day of training data for providing a
high-quality list of suspect accounts.
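The two kinds of account features ErDOS builds on, as an added example that is not the paper's code: the sent/received ratio and the distribution of inbound mail over distinct senders are computed from a constructed one-day (sender, recipient) log; the ratio threshold and the single-sender rule used to pick suspects are assumptions made here, not the paper's.

```python
from collections import Counter, defaultdict

# Constructed one-day mail log as (sender, recipient) pairs; made up for
# illustration, not the provider data set used in the paper.
LOG = [
    ("alice", "bob"), ("bob", "alice"), ("alice", "carol"), ("carol", "alice"),
    ("bob", "carol"), ("carol", "bob"), ("dave", "alice"), ("alice", "dave"),
] + [("spammy", f"victim{i}") for i in range(40)] + [("alice", "spammy")]

def account_features(log):
    # Per account: sent count, received count, and which accounts the
    # received mail came from
    sent, recv, senders = Counter(), Counter(), defaultdict(Counter)
    for src, dst in log:
        sent[src] += 1
        recv[dst] += 1
        senders[dst][src] += 1
    feats = {}
    for acct in set(sent) | set(recv):
        r = recv[acct]
        # ratio of sent to received mail (+1 keeps pure senders finite)
        ratio = sent[acct] / (r + 1)
        # share of inbound mail coming from the single most frequent sender:
        # 1.0 means everything came from one account, 0.0 means nothing received
        top_share = max(senders[acct].values()) / r if r else 0.0
        feats[acct] = {"sent": sent[acct], "received": r, "ratio": ratio,
                       "distinct_senders": len(senders[acct]),
                       "top_share": top_share}
    return feats

def suspect_accounts(log, ratio_threshold=5.0):
    # Assumed rule: many messages sent per message received, and almost no
    # inbound diversity (legitimate accounts tend to hear back from peers)
    feats = account_features(log)
    return sorted(a for a, f in feats.items()
                  if f["ratio"] >= ratio_threshold and f["distinct_senders"] <= 1)
```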

16:30

End of program (Thursday)

17:00

Meeting of SIG SIDAR (in German)

18:00

Social Events: Guided tour from Moevenpick Hotel to the Reichstag building, including a gala dinner on the top floor (your passport will be required!)

Abstract: The network infrastructure of any government is under
constant attack from cyber criminals and intelligence agencies in
addition to the normal daily attacks. In 2009 the German government
passed a law addressing this issue by permitting the BSI (Federal
Office for Information Security) to scan government network traffic to
and from the WWW for malicious content. The systems used for this
purpose will be described and the successes and shortcomings will be
discussed. Furthermore, as the attackers have vast resources and are
very skillful, e.g. they use zero-day exploits for this purpose and
change their malware code frequently, standard virus scanners are
becoming increasingly ineffective. In order to detect this kind of
attack, the development of new detection methods is
necessary. Therefore, in order to be able to detect APTs (advanced
persistent threats), the BSI uses, in addition to more traditional
detection methods, various techniques. One of these techniques applies
machine learning to detect attacks. This machine learning example is
used to address the need for the development of new detection methods
and their applicability in real-world setups.

Biography: Robert Krawczyk is working at the BSI (Federal Office for
Information Security) in Bonn in the network defence section. He
graduated from the University of Cologne and received a Doctorate in
Chemistry in 2003 from the Technical University of Munich. After his
Ph.D. he stayed from 2003 to 2005 as a Feodor-Lynen Fellow at the
University of Auckland in New Zealand and worked until 2006 as a
Research Officer at Massey University in Auckland. In 2006 he
switched careers to become an IT-Security Consultant for a small company
(Infodas) in Cologne, before finally moving to the BSI in 2008. His
interest is the development and implementation of new methods for detecting attacks.

Abstract:
Content Security Policies (CSP) provide powerful means to mitigate most XSS
exploits. However, CSP's protection is incomplete. Insecure server-side
JavaScript generation and attacker control over script-sources can lead to
XSS conditions which cannot be mitigated by CSP. In this paper we propose
PreparedJS, an extension to CSP which takes these weaknesses into account.
Through the combination of a safe script templating mechanism with a
light-weight script checksumming scheme, PreparedJS is able to fill the
identified gaps in CSP's protection capabilities.

Abstract:
A poorly designed web browser extension with a security vulnerability
may expose the whole system to an attacker. Therefore, attacks
directed at "benign-but-buggy" extensions, as well as extensions
that have been written with malicious intent, pose significant
security threats to a system running such components. Recent studies
have indeed shown that many Firefox extensions are over-privileged,
making them attractive attack targets. Unfortunately, users currently
do not have many options when it comes to protecting themselves from
extensions that may potentially be malicious. Once installed and
executed, the extension needs to be trusted. This paper
introduces SENTINEL, a policy enforcer for the Firefox browser that
gives fine-grained control to the user over the actions of existing
JavaScript Firefox extensions. The user is able to define policies (or
use predefined ones) and block common attacks such as data
exfiltration, remote code execution, saved password theft, and
preference modification. Our evaluation of SENTINEL shows that our
prototype implementation can effectively prevent concrete, real-world
Firefox extension attacks without a detrimental impact on users'
browsing experience.

Abstract:
Web-based mechanisms, often mediated by malicious JavaScript code, play an
important role in malware delivery today, making defenses against web-borne
malware crucial for system security. This paper explores weaknesses in
existing approaches to the detection of malicious JavaScript code. These
approaches generally fall into two categories: lightweight techniques
focusing on syntactic features such as string obfuscation and dynamic code
generation; and heavier-weight approaches that look for deeper semantic
characteristics such as the presence of shellcode-like strings or execution
of exploit code. We show that each of these approaches has its weaknesses,
and that state-of-the-art detectors using these techniques can be defeated
using cloaking techniques that combine emulation with dynamic anti-analysis
checks. Our goal is to promote a discussion in the research community
focusing on robust defensive techniques rather than ad-hoc solutions.

Abstract:
SMS-based One-Time Passwords (SMS OTP) were introduced to counter phishing
and other attacks against Internet services such as online banking. Today,
SMS OTPs are commonly used for authentication and authorization for many
different applications. Recently, SMS OTPs have come under heavy attack,
especially by smartphone Trojans. In this paper, we analyze the security
architecture of SMS OTP systems and study attacks that pose a threat to
Internet-based authentication and authorization services. We determined
that the two foundations SMS OTP is built on, cellular networks and mobile
handsets, were completely different at the time when SMS OTP was designed
and introduced. Throughout this work, we show why SMS OTP systems cannot be
considered secure anymore. Based on our findings, we propose mechanisms to
secure SMS OTPs against common attacks and specifically against smartphone
Trojans.

Abstract:
The trend of introducing common information and communication technologies
into automation control systems brings, besides many benefits, new security
risks to industrial plants and critical infrastructures. The increasing use
of Internet protocols in industrial control systems, combined with the
introduction of Industrial Ethernet on the field level, facilitates malicious
intrusions into automation systems. The detection of such intrusions
requires a detailed vulnerability analysis of the deployed protocols to find
possible attacks. Profinet IO is one of the emerging protocols for
decentralized control in the European automation industry and has found
wide application. In this paper, we describe several possible attacks on the
Profinet IO protocol that result from a vulnerability analysis of the
protocol. Thereafter we discuss an appropriate protection of automation
networks using anomaly-based intrusion detection as an effective
countermeasure to address these attacks.

Abstract:
The last twenty years have witnessed the constant reaction of the security
community to memory corruption attacks and the evolution of attacking
techniques in order to circumvent the newly-deployed countermeasures. In
this evolution, the heap of a process received little attention and thus
today, the problem of heap overflows is largely unsolved. In this paper we
present HeapSentry, a system designed to detect and stop heap overflow
attacks through the cooperation of the memory allocation library of a
program and the operating system's kernel. HeapSentry places unique random
canaries at the end of each heap object which are later checked by the
kernel, before system calls are allowed to proceed. HeapSentry operates on
binaries (no source code needed) and has, by design, no false positives. At
the same time, the active involvement of the kernel provides stronger
security guarantees than the current state of the art in heap protection
mechanisms for a modest performance overhead.

Abstract:
We often rely on system components implemented by potentially untrusted
parties. This implies the risk of backdoors, i.e., hidden mechanisms that
elevate the privileges of an unauthenticated adversary or execute other
malicious actions on certain triggers. Hardware backdoors have received
some attention lately and we address in this paper the risk of software
backdoors. We present a design approach for server applications that can --
under certain assumptions -- protect against software backdoors aiming at
privilege escalation. We have implemented a proof-of-concept FTP server to
demonstrate the practical feasibility of our approach.